build(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 #5344

Merged: shreyas-goenka merged 1 commit into main from bump-crypto-0.52.0 on Jun 1, 2026

Conversation

shreyas-goenka (Contributor) commented May 27, 2026

Summary

Bump golang.org/x/crypto from 0.51.0 to 0.52.0 to address CVE-2026-39827 (CVSS 6.5). go mod tidy transitively bumps golang.org/x/net 0.53.0 -> 0.54.0 and golang.org/x/sys 0.44.0 -> 0.45.0.

Context

The CVE is in golang.org/x/crypto/ssh server code (memory exhaustion via repeatedly rejected channels by an authenticated client) — the CLI does not run an SSH server, so it is not exploitable here. We only use ssh.NewPublicKey / ssh.MarshalAuthorizedKey in experimental/ssh/internal/keys/keys.go. Bumping anyway to clear the CVE scanners.

0.52.0 known issues check

One open issue against v0.52.0: golang/go#79658 — spinloop in x/crypto/ssh (*channel).SendRequest. We do not call into SSH channels, so this does not affect the CLI.

Test plan

  • ./task build
  • go test ./experimental/ssh/... (only place we use x/crypto)
  • CI

This pull request and its description were written by Isaac.

@shreyas-goenka shreyas-goenka marked this pull request as ready for review May 27, 2026 12:21
eng-dev-ecosystem-bot (Collaborator) commented May 27, 2026

Commit: b3aeb5e

Run: 26726210852

@pietern pietern temporarily deployed to test-trigger-is May 28, 2026 08:47 — with GitHub Actions Inactive
Addresses CVE-2026-39827 in golang.org/x/crypto/ssh server code (memory
exhaustion via rejected channels). The CLI does not run an SSH server, so
this is not exploitable here, but a customer security scanner flags the
binary regardless. Bumping unblocks them.

Transitively bumps golang.org/x/net 0.53.0 -> 0.54.0 and
golang.org/x/sys 0.44.0 -> 0.45.0 via go mod tidy.

Co-authored-by: Isaac
@shreyas-goenka shreyas-goenka added this pull request to the merge queue Jun 1, 2026
Merged via the queue into main with commit 3a714e3 Jun 1, 2026
30 checks passed
@shreyas-goenka shreyas-goenka deleted the bump-crypto-0.52.0 branch June 1, 2026 11:12
eng-dev-ecosystem-bot (Collaborator) commented

Commit: 3a714e3

Run: 26751406470
